Please note that this message was sent from an unmonitored mailbox which
is unable to accept replies. If you reply to this e-mail your request
will not be actioned. If you require copy invoices, copy statements,
card ordering or card stopping please e-mail
support@fuelcardservices.com quoting your account number which can be
found in the e-mail below. If your query is sales related please e-mail
info@fuelcardservices.com.

If you would like to order more fuel cards please click
http://www.fuelcard-group.com/cardorder/bp-burnley.pdf

If you have any queries, please do not hesitate to contact us.

Regards

Cards Admin.
Fuel Card Services Ltd

T 01282 410704
F 0844 870 9837
E support@fuelcardservices.com

Supplied according to our terms and conditions. (see
http://www.fuelcardservices.com/ebill.pdf).

Please also note that if you cannot open this attachment and are using
Outlook Express
to view your mail you should select Tools / Options / Security Tab and
deselect the
option marked "Do not allow attachments to be opened that potentially
may be a virus".
All of our outgoing mail is fully virus scanned but we recommend this
facility is
re-enabled if you do not use virus scanning software.

I have only seen one sample, with an attachment named ebill0200442.xls which contains this malicious macro [pastebin]. The macro is different to recent Dridex macros, and is similar to one first seen yesterday. According to this Malwr report it downloads an executable from:

www.trulygreen.net/43543r34r/843tf.exe

Also reported as a download location is:

www.mraguas.com/43543r34r/843tf.exe

If you look at the details of the Malwr report, it seems that the script creates a LOT of files all over the place. The dropped executable has a detection rate of 4/52, and this Hybrid Analysis report shows that it phones home to:

62.76.191.108 (Clodo-Cloud / IT-House, Russia)

This is the same IP address as seen earlier, but the payload has now changed. Blocking that IP would be wise, and I would suggest that blocking 62.76.184.0/21 is probably worth considering too.
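
To check whether anything on your network has already touched these indicators, here is a small log sweep. It is an added example, not part of the original post: the four-field log format (time, client, destination IP, URL) and the sample lines are constructed assumptions, while the indicators are the ones listed above.

```python
import ipaddress
from urllib.parse import urlsplit

# Indicators taken from the post above.
BLOCK_NET = ipaddress.ip_network("62.76.184.0/21")
C2_IP = ipaddress.ip_address("62.76.191.108")
DOWNLOAD_HOSTS = {"www.trulygreen.net", "www.mraguas.com"}
DOWNLOAD_PATH = "/43543r34r/843tf.exe"

# Constructed sample proxy log (assumed format: time client dest_ip url).
SAMPLE_LOG = """\
2015-01-01T09:00:01 10.0.0.5 192.0.2.10 http://example.com/index.html
2015-01-01T09:00:07 10.0.0.8 198.51.100.7 http://www.trulygreen.net/43543r34r/843tf.exe
2015-01-01T09:00:09 10.0.0.8 62.76.191.108 http://62.76.191.108/
2015-01-01T09:01:30 10.0.0.9 62.76.185.20 http://62.76.185.20/x
2015-01-01T09:02:00 10.0.0.9 62.76.192.1 http://62.76.192.1/
2015-01-01T09:02:10 10.0.0.7 not-an-ip http://WWW.MRAGUAS.COM/43543r34r/843tf.exe
"""

def classify(line):
    """Return the list of reasons a log line matches (empty if clean)."""
    parts = line.split()
    if len(parts) != 4:
        return []  # not in the assumed format; skip rather than guess
    dest, url = parts[2], parts[3]
    reasons = []
    try:
        addr = ipaddress.ip_address(dest)
    except ValueError:
        addr = None  # malformed destination field; the URL is still checked
    if addr == C2_IP:
        reasons.append("c2-ip")
    elif addr is not None and addr in BLOCK_NET:
        reasons.append("in-62.76.184.0/21")
    u = urlsplit(url)  # .hostname is lower-cased, so host case does not matter
    if (u.hostname or "") in DOWNLOAD_HOSTS and u.path == DOWNLOAD_PATH:
        reasons.append("payload-url")
    return reasons

def scan(log_text):
    """Map 1-based line numbers to match reasons for every flagged line."""
    results = ((n, classify(l)) for n, l in enumerate(log_text.splitlines(), 1))
    return {n: r for n, r in results if r}

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

A client that appears against both a payload-url hit and a later c2-ip hit, like 10.0.0.8 in the constructed sample, most likely fetched and ran the executable and should be prioritised for investigation.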